by qzw 1805 days ago
There already are "security consultants" who will do the dirty work of paying the ransom and handing the victim the decryption key. Pretty hard to stop that sort of thing, no?

Make it strict liability? I.e., if you paid for a "consultant" and it just so happens that he paid off the ransomware operators without your knowledge, you'll still be liable.
That's going to be nearly impossible to enforce, because the first thing that will probably happen is that companies will stop reporting ransomware attacks. And these "consultants" could be based anywhere, as well as further outsource their work to independent contractors, shell companies, etc. So getting hard evidence that there's been a ransom payment will likely be a wild goose chase.
That would run against the law as it stands in most places: https://en.wikipedia.org/wiki/Mens_rea
That would be the "strict liability" part.
And then what? You hand your engineers a decryption key and hope they don't ask questions?
More likely the "consultants" will handle the decryption process, and the company's own engineers, who are probably already shell-shocked and under huge pressure, will be told to just be thankful that the experts have secret, proprietary technology to deal with the ransomware. Even if the engineers want to be whistleblowers (at the risk of sacrificing their own jobs/careers), it'll be pretty hard to get enough conclusive evidence that a ransom was paid.